-
Notifications
You must be signed in to change notification settings - Fork 0
Home
Welcome to the poorMansFIM wiki!
Following, is an explanation of the How and WhereBy of using these fixlets/reports. This was originally created as a customer-project, and is generalized, here.
FIRM
Dec/Jan 2013-2014 v.6
-
- INTRODUCTION 3
-
- TO DO 3
-
- APPENDIX A: FIM REPORTS- EXPLANATION AND EXAMPLES: 4
-
- APPENDIX B: LIST OF MONITORED FILES/(REGISTRY KEYS FOR WINDOWS): 7
-
- APPENDIX C: FIM FIXLETS/ANALYSES: 15
The scope of this project will be to implement the FIM solution in a laboratory environment, using the BF Evaluation Software and execute the activities as defined below.
This will be done on Red Hat, Solaris, AIX, and Windows
The scope of this POC will include demonstrating the successful
∑ File Integrity Monitoring proof-of-concept
......
So, the intent of this File Integrity Monitoring implementation is to monitor specific files and/or directories for changes, and to notify the administrator when this happens.
Initially, a fixlet is run on a scheduled basis, which creates a timestamped list of specific monitored files/directories, and which saves the checksum of this list. If one of the monitored files changes, the original list is saved with a .bak extension, and an updated list is generated In the FIM2 client folder.
When the system ‘notices’ a change in ‘checksum’, a report is triggered, and is sent to the administrator who must investigate and resolve the condition.
Note that additional directories could be added, by modifying the ‘create’ and ‘reset’ fixlets for each of the tested platforms. For each added directory, a line of the form must be added, substituting the directory’s full pathname where in the place of of the red /sbin, below
{(if (exists it) then (pathname of it & " folder: " & modification time of it as string) else (it as string & "folder: <N/E>")) of folder "/sbin" | "/sbin folder: <N/E>"}
For each separate file, one would add a line (substituting the desired filename for the red /etc/passwd, below
{(if (exists it) then (pathname of it & ": " & modification time of it as string) else (it as string & ": <N/E>")) of file "/etc/passwd" | "/etc/passwd: <N/E>"}
The report contains the names of each file and it’s timestamp (see the two screenshots, below, which show the ‘report-triggering’ section of the WebReports interface:
Then, after appropriate investigation of the file-change, the administrator executes a ‘reset’ fixlet, which returns the system to it’s monitoring state. See Appendix C, below, for an example report, received when one of the targeted files was modified:
Red Hat:
- /etc/security/user
- /etc/security/login.cfg
- /etc/inetd.conf
- /etc/rc.tcpip
- /etc/inittab
- /etc/inetd.conf
- /etc/ftpusers
- /etc/mail/sendmail.cf
- /etc/security
- /etc/passwd
- /etc/group
- /etc/motd
- /etc/ntp.conf
- /etc/hosts.equiv
- /etc/tunables/nextboot
- /etc/security/limits
- /etc/security/audit/config
- /etc/usr/lib/security/mkuser.default auditclasses
- /etc/syslog.conf
- /etc/ssh/sshd_config
- /etc/shosts.equiv
- /etc/snmp.conf
- /etc/ntp.conf
- /sbin
- /bin
- /lib
- /mnt
- /mnt/floppy
- /root
- /boot
- /etc
- /etc/mtab
- /etc/shadow
- /etc/rc.d
- _/etc/pam.d _
- /etc/hosts
- /etc/hosts.allow
- /etc/hosts/deny
- /var/spool
- /var/spool/cron
- /var/spool/mqueue
- /var/spool/mail
Solaris:
- /etc/hosts.deny
- /etc/hosts.allow
- /etc/init.d
- /etc/default/login
- /etc/syslog.conf
- /etc/default/init
- /etc/hosts.equiv
- /etc/ssh/sshd_config
- /etc/pam.conf
- /etc/ftpd/ftpusers
- /etc/default/passwd
- /etc/passwd
- /etc/profile
- /etc/.login
- /etc/ftpd/ftpaccess
- /etc/motd
- /etc/issue
- /etc/ntp.conf
- /etc/default/telnetd
- /etc/group
- /etc/ldap.conf
- /var/ldap/ldap_client_file
- /etc/snmp.conf
- /sbin
- /bin
- /lib
- /mnt
- /mnt/floppy
- /root
- /boot
- /etc
- /etc/mtab
- /etc/shadow
- /etc/rc.d
- _/etc/pam.d _
- /etc/hosts
- /etc/hosts.allow
- /etc/hosts/deny
- /var/spool
- /var/spool/cron
- /var/spool/mqueue
- /var/spool/mail
AIX:
- /etc/security/user
- /etc/security/login.cfg
- /etc/inetd.conf
- /etc/rc.tcpip
- /etc/inittab
- /etc/inetd.conf
- /etc/ftpusers
- /etc/mail/sendmail.cf
- /etc/security
- /etc/passwd
- /etc/group
- /etc/motd
- /etc/ntp.conf
- /etc/hosts.equiv
- /etc/tunables/nextboot
- /etc/security/limits
- /etc/security/audit/config
- /etc/usr/lib/security/mkuser.default auditclasses
- /etc/syslog.conf
- /etc/ssh/sshd_config
- /etc/shosts.equiv
- /etc/snmp.conf
- /etc/ntp.conf
- /sbin
- /bin
- /lib
- /mnt
- /mnt/floppy
- /root
- /boot
- /etc
- /etc/mtab
- /etc/shadow
- /etc/rc.d
- _/etc/pam.d _
- /etc/hosts
- /etc/hosts.allow
- /etc/hosts/deny
- /var/spool
- /var/spool/cron
- /var/spool/mqueue
- /var/spool/mail
Windows:
- $(HKLM_WNTCV)\Winlogon|ScreenSaverGracePeriod
- $(HKLM_WNTCV)\Winlogon|cachedlogonscount
- $(HKLM_WNTCV)\Winlogon|defaultpassword value
- $(HKLM_WCV)\policies\system|legalnoticecaption
- $(HKLM_WCV)\policies\system|legalnoticetext
- $(HKLM_WCV)\Policies\system|DisableBkGndGroupPolicy
- $(HKLM_CCS)\Control\Lsa|FIPSAlgorithmPolicy
- $(HKLM_CCS)\Control\Lsa|RestrictAnonymous
- $(HKLM_CCS)\Control\Lsa|RestrictAnonymousSAM
- $(HKLM_CCS)\Control\Lsa|auditbaseobjects
- $(HKLM_CCS)\Control\Lsa|everyoneincludesanonymous
- $(HKLM_CCS)\Control\Lsa|nolmhash
- $(HKCU)\Control Panel\Desktop|ScreenSaveTimeOut
- $(HKLM_Services)\NetLogon\parameters|requirestrongkey
- $(HKLM_Services)\Netlogon\Parameters|DisablePasswordChange
- $(HKLM_Services)\Netlogon\Parameters|maximumpasswordage
- $(HKLM_Services)\Netlogon\Parameters|maxpasswordage
- $(HKLM_Services)\Netlogon\Parameters|refusepasswordchange
- $(HKLM_Services)\Netlogon\Parameters|requiresignorseal
- $(HKLM_Services)\Netlogon\Parameters|sealsecurechannel
- $(HKLM_Services)\Netlogon\Parameters|signsecurechannel
- $(HKLM_Services)\SNMP\Parameters\PermittedManagers
- $(HKLM_Services)\SNMP\Parameters\ValidCommunities
- $(HKLM_Services)\lanmanserver\parameters|enablesecuritysignature
- $(HKLM_Services)\lanmanworkstation\parameters|enableplaintextpassword
- $(HKLM_Services)\lanmanworkstation\parameters|requiresecuritysignature
- $(HKLM_Services)\lanmanserver\parameters|restrictnullsessaccess
- $(HKLM_Services)\lanmanworkstation\Parameters|enablesecuritysignature
- $(HKLM_Services)\LanmanWorkstation\Parameters|EnablePlainTestPassword
- $(HKLM)\Software\Policies\Microsoft\W32time\Parameters|NTPServer
- $(HKLM_CCS)\Control\Lsa|limitblankpassworduse
- $(HKLM_Services)\Eventlog\Security|WarningLevel
- $(HKLM)\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp|MinEncryptionLevel
- $(HKLM)\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp|MinEncryptionLevel
- $(HKLM)\SECURITY\Policy\Secrets\SAC
- $(HKLM)\SECURITY\Policy\Secrets\SAI
- $(HKLM)\SECURITY\SAM\Domains\Account
- $(HKLM)\SECURITY\SAM\Domains\Account\Users
- $(HKLM_CCS)\Control\LSA
- $(HKLM_CCS)\Control\LSA|LsaPid
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa|restrictanonymoussam
- Properties corresponding to each operating system were created (like FIM-WINcksumNotMatch), the relevance for which was:
line 1 of file "FIMwindows_dataChecksum.txt" of parent folder of regapp "BESClient.exe" != sha1 of file "FIMwindows_data.txt" of parent folder of regapp "BESClient.exe"
The equivalent relevance for each system was used in triggering the reports (see step 2, below)
- We created web reports of each of the analyses, above, and saved them as ‘public’, then ‘triggering’ them to be emailed, based on the following relevance (replace the names of the different operating systems where you see Win, below). For example, the ‘saved Windows analysis’ report was triggered by the following relevance:
disjunction of ((((value of it = "True") of results from (bes properties whose (name of it contains "FIM-WINcksumNotMatch")) whose(not error flag of it) of it )) of bes computers whose (operating system of it contains "Win"))
[the ‘translation’ of the above relevance is: ‘evaluate as true if any of the machines with the Windows operating system show the FIM-WINcksumNotMatch flag as ‘true’ (and do not indicate any errors)]
(See github repository <*.bes> for fixlets).